Is it OK to store the phone verification code by SMS in cookies?
I must say right away that there is no need to offer me other ways to solve authorization by SMS - I know and use them.
There is a question about this kind of storage.
The meaning is as follows - when sending an authorization code to the user's phone, we simultaneously save a hashed cookie with this code on the user's device. A hash of the code, the time and a changeable salt.
At the time of sending the code, we also receive this cookie and perform a check.
What are the pitfalls of such authorization?
Why do you want to use this stupid way of storing the code?
What kind of hash is this from the code, time and salt?
Something like sha256("1630540800|salt2281488|99414")?
How are you going to validate this code? In any case, you need to store time and salt on the server.
What's the point of using this scheme then? Either way, a compromised server will allow an attacker to steal the code.
The whole code scheme for mail / SMS comes down to a simple table:
id|code|token|attempts|expired
Everything, nothing more.
When a code is requested, we set a cookie with the identifier (secret token) of the code in the database. On a login attempt, we check expired and attempts. Optionally, attempts can be moved to a separate table to partly solve the problem where an attacker can use, say, not 3 attempts but a little more.
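One way to implement the table-backed scheme the answer describes, as an added example that is not the answerer's code. The in-memory dict standing in for the database table, the 3-attempt limit and the 5-minute lifetime are assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory stand-in for the table id|code|token|attempts|expired.
# The secret token is the dict key; the row id is implied by the key.
STORE = {}
MAX_ATTEMPTS = 3      # assumed limit before the code is locked
TTL_SECONDS = 300     # assumed lifetime of a code


def issue_code(now=None):
    """Generate a code, persist it under a fresh secret token, return (token, code).

    The token goes into the cookie; the code goes to the phone over SMS.
    Nothing derived from the code itself is ever sent to the browser."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"       # 6-digit one-time code
    token = secrets.token_urlsafe(32)               # unguessable cookie value
    STORE[token] = {"code": code, "attempts": 0, "expired": now + TTL_SECONDS}
    return token, code


def verify_code(token, submitted, now=None):
    """Check a submitted code against the row referenced by the cookie token.

    Returns 'ok', 'expired', 'locked', 'wrong' or 'unknown'. Each call that
    reaches the comparison counts as an attempt, so guessing is bounded."""
    now = time.time() if now is None else now
    rec = STORE.get(token)
    if rec is None:
        return "unknown"
    if now > rec["expired"]:
        del STORE[token]
        return "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    rec["attempts"] += 1
    # Constant-time comparison so timing does not leak matching digits.
    if hmac.compare_digest(rec["code"], submitted):
        del STORE[token]           # single use: the row is consumed on success
        return "ok"
    return "wrong"
```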